Why are businesses exploring a zero-trust cyber security strategy?

THE “ZERO TRUST” approach to cybersecurity was drafted in 2010 by Security Consultant John Kindervag who, at the time, was working for Forrester Research as a Principal Analyst.

The approach essentially directs security teams to demand authentication for each application, from users both internal and external to the organization.

In contrast, the model most businesses currently follow tends to trust all internal users and expend all IT and cybersecurity efforts on preventing external users from gaining unauthorized access.

Back in 2010, leaning towards the zero trust model meant investing a significantly greater quantum of resources into the organization’s cyber security strategy to protect against bad actors.

Over the past decade, as organizations charge ahead with digital transformation and move applications to the cloud, collaborate with customers and vendors to share data and access to platforms, and support staff and customers across the globe, the zero trust approach starts to look like a smart idea.

Given the growing number of cyber security issues and the increased sophistication of hackers, a zero trust model definitely makes more sense — especially as regulators tighten the noose around companies that neglect data security.

Recently, for example, the UK Information Commissioner’s Office (ICO) announced an intention to fine British Airways GBP183.39 million (US$228.14 million) and Marriott International GBP99.2 million (US$123.38 million) for data breaches in the recent past.

On the other side of the pond, the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and various state-level regulatory bodies in the US levied US$700 million in fines on Equifax for its massive data breach back in 2017.

The final Equifax settlement includes a US$175 million civil penalty to states, US$100 million civil penalty to the CFPB, and a restitution fund for consumers, starting with US$380.5 million and up to US$505.5 million in total, with a cap of US$20,000 per consumer — as provided by the National Consumer Law Center (NCLC).

Further, companies realize that hackers aren’t always after transactional or financial data. More often than not, they’re after data that belongs to customers, and failing to protect that data results in loss of trust, damages to the company’s reputation, and puts the organization’s future at risk.

Back in 2010, a lot of experts steered away from Kindervag’s idea because it seemed like a resource-heavy proposal.

In today’s world, with all the advanced systems organizations have at their disposal, automating much of the effort to authenticate internal users is possible and means that all of a sudden, the zero trust model looks both, reasonable as well as feasible.

While saying that the zero trust model directs security professionals to demand authentication from all users, internal and external, seems like an oversimplification, it does represent the root principle: “Always verify, never trust”, as against the traditional principle of “trust but verify”.

Overall, in the world that we live in, a zero trust cyber security strategy seems quite reasonable. Organizations considering making the switching might do better than peers that don’t — after all, all things being equal, hackers tend to choose easy targets rather than taking on a challenge just for the sake of it.